Privacy Policy

Swivel Secure Privacy Policy

Effective Date: October 25, 2025

Swivel Secure Limited, a private limited company registered in England and Wales, whose registered address is Regus City West, Building 3, Gelderd Road, Leeds, LS12 6LN (registered company number 04068905) (“Swivel Secure,” “We,” “Our,” or “Us”), is committed to protecting the privacy and security of your personal information.

This Privacy Policy explains how We collect, use, disclose, and protect your Personal Information when you visit our website at www.swivelsecure.com, our associated customer support portal at supportdesk.swivelsecure.com (collectively, the “Sites”), and when you use our products and services.

We have designed this policy to be compliant with the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA), among other applicable data protection laws.

1. Contact Information and Data Protection Officer (DPO)

Detail	Information
Company Name	Swivel Secure Limited
Registered Address	Regus City West, Building 3, Gelderd Road, Leeds, LS12 6LN, UK
Data Protection Contact	dataprivacy@swivelsecure.com
Data Protection Officer (DPO)	Howard Freeman

2. What Personal Information We Collect

We collect Personal Information from you directly, automatically through your use of the Sites and Our products, and from third parties, such as our Reseller Partners.

Category of Personal Information	Examples of Data Collected	Source of Data
Contact and Identity Data	Name, job title, company name, email address, phone number, physical address, and user ID.	Direct from You, Reseller Partners.
Technical Data	IP address, browser type and version, time zone setting, browser plug-in types and versions, operating system, and platform.	Automated via Sites and Products.
Usage Data	Information about how you use our Sites, products, and services, including pages viewed, links clicked, and login history.	Automated via Sites and Products.
Commercial Data	Records of products or services purchased, licensed, or considered, and payment/billing information.	Direct from You, Reseller Partners.
Support and Inquiry Data	Information you provide when contacting our support desk, including the content of your communications.	Direct from You.

3. How We Use Your Information and Lawful Basis for Processing

We will only use your Personal Information when the law allows us to. Under GDPR, we rely on the following lawful bases for processing your data:

Purpose of Processing	Categories of Data Used	Lawful Basis (GDPR)
To Provide Products and Services	Contact, Technical, Usage, Commercial.	Contractual Necessity (To fulfill our contract with you or your employer).
To Manage Our Sites	Technical, Usage.	Legitimate Interests (To ensure our Sites are secure and function correctly).
To Communicate with You	Contact, Support.	Legitimate Interests (To respond to inquiries and provide customer support).
Marketing and Promotions	Contact.	Consent (Where required by law) or Legitimate Interests (For existing customers, where permitted).
Legal Compliance and Security	All categories.	Legal Obligation (To comply with legal requirements) and Legitimate Interests (To prevent fraud and ensure security).

4. Sharing Your Personal Information with Reseller Partners

As a software vendor, Swivel Secure operates a channel-based sales model and relies on a global network of authorized reseller partners, distributors, and system integrators (“Reseller Partners”) to market, sell, and support our products and services.

We may share your Personal Information with our Reseller Partners for the following business purposes:

Purpose of Sharing	Categories of Personal Information Shared	Lawful Basis (GDPR)
Sales and Lead Qualification	Name, Job Title, Company Name, Business Email, Business Phone Number, Country.	Legitimate Interests (To pursue sales opportunities and manage our channel strategy).
Fulfilling Product Orders and Licensing	Name, Company Name, Installation/Deployment details, License Key information, Billing Contact.	Contractual Necessity (To fulfill the contract for the product or service you have purchased).
Providing Local Support and Training	Name, Business Email, Company Name, Support Ticket History, Product Usage Data.	Legitimate Interests (To ensure you receive timely and localized technical support).
Marketing and Business Development	Name, Company Name, Business Email (where consent has been provided).	Consent or Legitimate Interests (where permitted by local law).

Safeguards and Compliance: We only share data with Reseller Partners who are under a contractual obligation to maintain appropriate technical and organizational security measures and to process the data only for the purposes specified by Swivel Secure and in compliance with applicable data protection laws.

5. Other Third-Party Disclosures

We may also share your Personal Information with other third parties, including:

Service Providers: Third-party vendors and service providers (e.g., cloud hosting, payment processors, analytics providers) who perform services on Our behalf.
Legal and Regulatory Authorities: When required by law, such as to comply with a subpoena or other legal process.
Business Transfers: In connection with any merger, sale of company assets, financing, or acquisition of all or a portion of Our business.

6. Mobile Application Privacy and Biometric Data

Our Swivel Secure mobile application utilizes device-native biometric authentication methods, such as Face ID and fingerprint recognition on Apple devices, and equivalent biometric methods on Android devices, solely to authenticate the end-user.

Crucially, Swivel Secure does not access, collect, store, or share any of your biometric data. The biometric authentication process is managed entirely by your device’s operating system and its secure enclave (or equivalent secure hardware). We only receive a confirmation token from your device indicating successful authentication.

Other Mobile Application Data: The mobile application may collect Technical Data and Usage Data to monitor performance, diagnose technical issues, and improve the user experience. This data is treated in accordance with the rest of this Policy.

7. Cloud Product Data Retention and Deletion

Swivel Secure offers its cloud-based services (the “Cloud Product”) to customers. The Cloud Product operates on dedicated Amazon Web Services (AWS) EC2 instances managed by Swivel Secure and is accessed by customers via a web interface and Our mobile application. The Personal Information collected through the Cloud Product is consistent with the categories outlined in Section 2 of this Policy.

Post-Termination Data Retention and Deletion

Upon the termination or expiration of a customer’s Cloud Product subscription, we implement the following data retention and deletion protocol:

Grace Period (60 Days): We will retain all customer data associated with the terminated subscription for a period of sixty (60) days following the effective date of termination. This period serves as a grace period, allowing the customer to renew their subscription, retrieve their data, or request data portability.
Data Portability: During the 60-day grace period, the customer may request a copy of their data in a standard, structured, and commonly used electronic format. We will provide this data copy in accordance with our contractual obligations and the user’s Right to Data Portability under GDPR (where applicable).
Secure Deletion: Following the conclusion of the 60-day grace period, all customer data, including backups and logs, will be permanently and securely deleted from Our production and backup systems. This deletion is irreversible.

This retention period is necessary to fulfill our legitimate interest in providing a reasonable recovery window for our customers, while also ensuring compliance with the principle of storage limitation under GDPR by not retaining data longer than necessary.

8. Your Data Protection Rights

Depending on your location, you may have the following rights regarding your Personal Information:

A. Rights under GDPR/UK GDPR (For EU/UK Residents)

Right of Access: To request a copy of the Personal Information We hold about you.
Right to Rectification: To request that We correct any inaccurate or incomplete Personal Information.
Right to Erasure (“Right to be Forgotten”): To request that We delete your Personal Information, under certain conditions.
Right to Restriction of Processing: To request that We restrict the processing of your Personal Information, under certain conditions.
Right to Object to Processing: To object to Our processing of your Personal Information, under certain conditions.
Right to Data Portability: To request that We transfer the data that We have collected to another organization, or directly to you, under certain conditions.
Right to Withdraw Consent: Where We are relying on consent to process your Personal Information, you have the right to withdraw that consent at any time.

B. Rights under CCPA/CPRA (For California Residents)

Right to Know: To request that We disclose the categories and specific pieces of Personal Information We have collected about you.
Right to Delete: To request the deletion of your Personal Information, subject to certain exceptions.
Right to Opt-Out of Sale or Sharing: You have the right to direct Us not to sell or share your Personal Information to third parties. As defined by CCPA/CPRA, the sharing of data with our Reseller Partners for cross-context behavioral advertising may be considered “sharing.”
Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

How to Exercise Your Rights: To exercise any of these rights, please contact Us using the details provided in Section 1. We will respond to your request within the timeframes required by applicable law.

9. Data Security and International Transfers

Data Security: We have implemented appropriate technical and organizational security measures designed to protect your Personal Information from accidental loss, unauthorized access, use, alteration, or disclosure.

International Data Transfers: Swivel Secure is a UK-based company, but we operate globally and utilize service providers and Reseller Partners worldwide. This means your Personal Information may be transferred to, and processed in, countries outside of the UK or European Economic Area (EEA).

Where We transfer your Personal Information outside the UK/EEA, We ensure a similar degree of protection is afforded to it by implementing at least one of the following safeguards:

Transferring Personal Information to countries that have been deemed to provide an adequate level of protection for Personal Information by the European Commission or UK government.
Using specific contracts approved for use in the UK/EEA which give Personal Information the same protection it has in the UK/EEA (e.g., Standard Contractual Clauses).

10. Data Retention

We will only retain your Personal Information for as long as necessary to fulfill the purposes for which We collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period, We consider the amount, nature, and sensitivity of the Personal Information, the potential risk of harm from unauthorized use or disclosure of your Personal Information, the purposes for which We process your Personal Information, and applicable legal requirements.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Any changes will be posted on this page with a revised Effective Date. If We make material changes to how We treat your Personal Information, We will notify you through a prominent notice on the Sites or via email. We encourage you to review this Privacy Policy periodically to stay informed about how We are protecting the Personal Information We collect.

EU Representative: Fortis DPC
Viscount House, 6-7, Fitzwilliam Square, Dublin 2. Ireland
Contact: admin@fortis-dpc.com

End of Policy

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.